Scams, Braz and the Financial Accountability Regime – Financial services facing into scams in 2024

By Mark Bland, Partner, Geoff McCarthy, Special Counsel and Angela Wooton, Paralegal.

“Scams” have continued to be in sharp focus for the Minister for Financial Services this year. Regulators are coordinating their efforts through the National Anti-Scam Centre and other initiatives. While the current priorities are the banking, digital platform and telecommunications sectors, the Minister has flagged the superannuation sector as next in line for a Mandatory Industry Code. There are other forces exacerbating the operational risk management challenges for banks, insurers and superannuation trustees such that 2024 will be a year of uplift for them on scam prevention.

“Scam management” has also featured in the context of the Financial Accountability Regime (FAR), with ASIC and APRA including “scam management as an “ADI Key Function” in the final Legislative Instruments[1] made on 6 March 2024, and also included “scam management” as an “Insurance Key Function” and “RSE licensee Key Function” in a consultation package issued on 14 March 2024.[2]

While an accountable entity is not required to allocate an accountable person to each key function, ASIC and APRA have made clear that a “Key Function” is an area of particular importance from a prudential and conduct perspective.[3]

Further to this, a recent Federal Court decision has landed strict liability on trustees for any rollover scam. This and the rapid growth in scams will have trustees considering what is required of them under their AFSL general obligations, SIS Act covenants, fiduciary duties and now under FAR. Trustees face the operational risk management challenge of:

 

1.  doing what is required to prevent scams; and
2. meeting the strict timeframe for processing rollovers, which is generally within 3 business days.

AFCA identified last month the failure to meet these rollover timelines as a systemic issue for superannuation trustees.

In this article we focus on the outcome and significant implications for trustees of the Federal Court decision, Braz v Host-Plus Pty Ltd [2023] FCA 1454 (23 November 2023) (Braz).

Braz v Hostplus

Braz was an appeal to the Federal Court of an AFCA decision that the trustee was not required to compensate a member whose entire superannuation benefit was rolled into the scammer’s bank account. The scammer’s bank account was presented to the trustee as the account for the member’s new self-managed super fund (SMSF). The court ordered that the AFCA determination be set aside to be redetermined by AFCA. Hostplus did not appeal the decision. We await AFCA’s further determination.

The most significant finding by the Court was that a rollover request from scammer is not a request from “the member” for the purpose of the rollover Superannuation Industry (Supervision) Regulations 1994 (SIS Regs). The implications of this finding are that in such circumstances:

 

1. complying with the rollover identification requirements is not sufficient to protect the trustee; and
2. acting on such a rollover request would cause the trustee to breach the rollover standards.

Braz therefore presents significant risks to superannuation trustees, even for highly sophisticated rollover scams where the trustee has exercised due care and diligence and where the scam was facilitated by the member.

Facts

Mr Lee Braz was a member of the InTrust Super Fund. In July 2020, he intended to set up a SMSF and engaged with what he thought was a legitimate accounting firm, PS Kitt & Co, but had unwittingly engaged a scammer using the name PS Kitt & Co Pty Ltd.

Thinking he was engaging with a legitimate firm, Mr Braz provided the scammer with a form for the purpose of setting up a SMSF. This form included his date of birth, TFN, address, photocopy of his passport and his signature.  The scammer then lodged a Benefit Payment Application form with InTrust Super without the knowledge or approval of the applicant using information provided in this form. At the same time, the scammer also submitted a completed ATO form entitled “Rollover initiation request to transfer whole balance of superannuation benefits to your self-managed super fund”.

After InTrust Super recorded that SMSF verification had been obtained, the full balance of $178,408.89 was transferred to the bank account of “The Trustee for Lee Braz Family Super Fund”, nominated by the scammer.

Procedural History – AFCA May 2023 determination

In the initial complaint, the applicant claimed that the trustee should reimburse his account balance because they had accepted fraudulent information when processing the transfer. The successor trustee to InTrust Super (Hostplus) claimed that the applicant compromised the security of his account by providing the scammer with his confidential information and that the information provided to InTrust by the scammer was not irregular or suspicious, meaning that it carried out its obligations under the relevant legislation correctly.

On 26 May 2023, AFCA concluded that the trustee’s decision not to provide compensation was fair and reasonable in its operation in relation to the applicant. This was based on the findings that the trustee of InTrust Super had:

• acted to meet its transfer obligations;
• complied with process checks and administrative controls in place at the time;
• had not committed an error;
• correctly verified the information it received which whilst being forged, did not require any further checking and verification than when the rollover was processed; and
• that the information that it received did not appear suspicious.

Issues on appeal  

The applicant appealed the decision, submitting to the Federal Court that AFCA erred in its interpretation and purported application of reg 6.33 and in doing so, incorrectly applied reg 6.33 of the SIS Regs.

In relation to the reference in the AFCA determination to InTrust Super meeting its obligations under reg 6.33E(2) of the SIS Regulations, the applicant submitted that reg 6.33E did not come into operation in relation to this transaction.

Regulation 6.33E requires that a trustee take certain verification and validation steps when it “receives a request under regulation 6.33 to rollover or transfer” all or part of a member’s benefit to a SMSF. A request under regulation 6.33 is a request by a member.

The applicant submitted there was no request made by a member under reg 6.33 as it was in fact the scammer who made the request.

The applicant also referred to reg 6.28 which prohibits a trustee rolling over a member’s funds unless “ . . . the member has given to the trustee the member’s consent to the rollover.” The applicant submitted that the member’s benefits in a regulated superannuation fund cannot be rolled over from the fund unless the member has given the former trustee the member’s consent to the rollover.

The Court found that Reg 6.33E operates to place obligations on the trustee of the transferring fund on receiving a request from the member which are outlined in Reg 6.33E(2). The applicant submitted that AFCA should have found the trustee of InTrust Super did not satisfy its obligations and that that regulation was not enlivened as there was no request by the applicant under reg 6.33(1). If reg 6.33E(1) did not apply, there would be no question of satisfying obligations under reg 6.33E(2).

The court found that AFCA had failed to consider the issue of whether a forged request by a third party could be regarded as a request from a member. It also found that AFCA erred in its interpretation of the application of reg 6.33E, particularly in the context of its conclusion in that compliance with reg 6.33E meant that the trustee’s determination not to require confirmation was fair and reasonable.

It was held that reg 6.33 only applies in a case of an application by the member rather than another person purporting to be the member and therefore its operation had been misconstrued by AFCA.

The Court held that AFCA had failed to consider the impact of the lack of consent, including the effect of reg 6.33 – failing to take into account whether the member had made a request in writing as contemplated under reg 6.33(1) that the whole of the member’s withdrawal benefit be rolled over and whether the member ever provided consent to such a rollover.

The Court noted that AFCA referred to the actions of the applicant on multiple occasions regarding his provision of confidential information to the scammer but did not provide in its reasons any explanation regarding whether any of AFCA’s conclusions were based on these facts.  There might still be scope for AFCA to assess whether a member who unknowingly facilitated a fraudulent withdrawal may be required to contribute by bearing some of the loss.

Implications

Contraventions

While the Court made no express finding on reg 6.28, the similarity in drafting of reg 6.33E and reg 6.28(1)(a), makes it likely that an implication of the judgment will be that a forged request for a rollover from a third party would not amount to consent by a member under reg 6.28(1)(a). As a result, if the trustee complies with the fraudulent request, it will contravene the operating standard in reg 6.17(2B)(b).

An intentional or reckless breach of an operating standard such as that in reg 6.17 is an offence under s34 of the SIS Act. Any failure to comply is a contravention.

If a trustee provides a member’s personal information to a third party in seeking to comply with the payment standards in regs 6.33 to 6.38 when it has not received a rollover request from the actual member, it would not be acting in accordance with a payment standard . If it involves the disclosure of the member’s personal information, it may also be a breach of the Privacy Act.

A contravention of an operating standard or a payment standard is a contravention of an Australian financial services licensee’s general obligation under s 912A(1)(c) of the Corporations Act 2001 to comply with financial services law.  An underlying inadequacy of systems and processes may also amount to a contravention of the s912A(1)(a) to ensure financial services are provided efficiently, honestly and fairly. This is a civil penalty provision with a maximum penalty of over $15.65 million.

Additionally, if a trustee fails to implement effective systems for fraud detection, it may contravene the care, skill and diligence covenant (s 52(2)(b) of the SIS Act). This could also amount to a breach of the trust deed, depending on its terms under s54C of the SIS Act.

CPS 230 Operational Risk Management

Under Prudential Standard CPS 230 Operational Risk Management applying from 1 July 2025, an APRA regulated entity such as an RSE licensee must meet various requirements in relation to operational risk.  These include that it must:

1. “effectively manage its operational risks, and set and maintain appropriate standards for conduct and compliance … and manage its risk from service providers” (paragraph 12);
2. “identify, assess and manage operational risks that may result from inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and events” (paragraph 13); and
3. have its internal audit function :review any proposed material arrangement involving the outsourcing of a critical operation” and  “regularly report to the Board or Board Audit Committee on compliance of such arrangements with the entity’s service provider management policy” (paragraph 60).

Breach reporting

A contravention of operating standards or payments standards would be reportable to APRA if the RSE licensee becomes aware of the breach and that it is significant.

For this purpose significance is to be determined by reference to:

1. the number or frequency of similar previous breaches;
2. the impact the breach has or will have on the RSE licensee’s ability to fulfil its obligations as trustee of the superannuation entity;
3. the extent to which the breach indicates that the RSE licensee’s arrangements to ensure compliance with the RSE licensee law or Chapter 2M of the Corporations Act 2001 might be inadequate; and
4. the actual or potential financial loss arising or that will arise from the breach to the beneficiaries of the entity or to the RSE licensee;

An RSE licensee would also have to report to ASIC if it becomes aware there are reasonable grounds to believe a significant breach of the SIS Act had occurred, having regard to a similar test.

A trustee may be on safer ground relying on reg 6.28(b) if it can evidence that it believes, on reasonable grounds, that the trustee of the regulated superannuation fund into which the benefits are to be rolled over has received, from the member, consent to the rollover.

Financial implications for trustees

The penalties discussed above would have to be paid by a trustee out of its own assets, and could not be paid from fund assets.

A trustee is liable to compensate a member who suffers loss as a result of the trustee’s contravention of a SIS Act covenant (s 55 of the SIS Act).

If the trustee makes sufficient efforts such that the breach does not  result from an intentional or reckless failure to perform its duties, it is arguable, but not certain, that a trustee could be indemnified by the Fund under s 56 of the SIS Act for its liability to the member.

Individual accountable persons responsible for scam management may also have to face individual financial implications.

Conclusion

The Government and regulators are currently highly focused on scam management, and the implications of the Braz decision, the forthcoming CPS 230 and FAR all make it an imperative that trustees take greater steps now to protect their members from scams.

[1] Financial Accountability Regime Act (Information for register) Regulator Rules 2024 and the Financial Accountability Regime (Consequential Amendments) Transitional Rules 2024

[2]  Draft Financial Accountability Regime Regulator Rules Amendment Instrument No. 1 of 2024

[3] APRA & ASIC Guide: Financial Accountability Regime: Information for accountable entities (RG  279), page 13